Details

Description

I am using Unix user/group database for Security Realm and the SSH public key security for CLI added in version 1.419. This works great in 1.419 and 1.420, but is broken in 1.421 and 1.425 (and presumably versions in between... I discovered it didn't work in 1.425, which is currently the latest, and then went up from 1.419 until it broke).

I am guessing it has to do with one of these changes in 1.421

PAM authentication wasn't working with Ubuntu 11.04 (issue 9486)

PAM authentication now works with CLI login mechanism. (issue 9681)

Generalized the mechanism to control scopes of security permissions

I can insert a typo in my public key config to force an error with the authentication, in which case I will get an error saying the public key didn't work.

However, when everything is setup correctly, and I receive no errors regarding the ssh keys, I always get the following stack trace about the anonymous user when trying to use the CLI. This occurs for any CLI command that requires Administer permission. Read-only commands like version do work.

myhost:$ java -jar /opt/auto/jenkins/bin/jenkins-cli.jar -s http://myhost:9080 groovy /opt/auto/jenkins/bin/failedjobs.gsh
hudson.security.AccessDeniedException2: anonymous is missing the Administer permission
at hudson.security.ACL.checkPermission(ACL.java:53)
at hudson.model.Node.checkPermission(Node.java:381)
at hudson.cli.GroovyCommand.run(GroovyCommand.java:73)
at hudson.cli.CLICommand.main(CLICommand.java:184)
at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:592)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:274)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:255)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:215)
at hudson.remoting.UserRequest.perform(UserRequest.java:118)
at hudson.remoting.UserRequest.perform(UserRequest.java:48)
at hudson.remoting.Request$2.run(Request.java:287)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:417)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:269)
at java.util.concurrent.FutureTask.run(FutureTask.java:123)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
at java.lang.Thread.run(Thread.java:595)

I'm having a very similar with ssh public keys, users, and the cli in 1.432.

I have a user with all permissions (under matrix security) named jenkins. I generated a ssh key pair on the same server that my Jenkins instance is running on, via a user named jenkins. I copied and pasted the public key created into the jenkins user on the gui mgmt. console. When I then attempt to use the cli via the jenkins user on the server, it just times out, finally giving a stream termination error. I even had set the -i parameter, like so: java -jar -Xmx512M /home/jenkins/jenkins-cli.jar -i /home/jenkins/jenkins_rsa -s MY_JENKINS_URL. Additionally, I had jenkins_rsa as id_rsa, and it didn't work. Thanks.

Zeeshan Lakhani
added a comment - 2011-09-27 21:34 I'm having a very similar with ssh public keys, users, and the cli in 1.432.
I have a user with all permissions (under matrix security) named jenkins. I generated a ssh key pair on the same server that my Jenkins instance is running on, via a user named jenkins. I copied and pasted the public key created into the jenkins user on the gui mgmt. console. When I then attempt to use the cli via the jenkins user on the server, it just times out, finally giving a stream termination error. I even had set the -i parameter, like so: java -jar -Xmx512M /home/jenkins/jenkins-cli.jar -i /home/jenkins/jenkins_rsa -s MY_JENKINS_URL. Additionally, I had jenkins_rsa as id_rsa, and it didn't work. Thanks.

Not sure if it came through below, but here's my issue (version 1.432, Solaris):

I'm having a very similar with ssh public keys, users, and the cli in 1.432.
I have a user with all permissions (under matrix security) named jenkins. I generated a ssh key pair on the same server that my Jenkins instance is running on, via a user named jenkins. I copied and pasted the public key created into the jenkins user on the gui mgmt. console. When I then attempt to use the cli via the jenkins user on the server, it just times out, finally giving a stream termination error. I even had set the -i parameter, like so: java -jar -Xmx512M /home/jenkins/jenkins-cli.jar -i /home/jenkins/jenkins_rsa -s MY_JENKINS_URL. Additionally, I had jenkins_rsa as id_rsa, and it didn't work. Thanks.

Zeeshan Lakhani
added a comment - 2011-09-27 21:46 Not sure if it came through below, but here's my issue (version 1.432, Solaris):
I'm having a very similar with ssh public keys, users, and the cli in 1.432.
I have a user with all permissions (under matrix security) named jenkins. I generated a ssh key pair on the same server that my Jenkins instance is running on, via a user named jenkins. I copied and pasted the public key created into the jenkins user on the gui mgmt. console. When I then attempt to use the cli via the jenkins user on the server, it just times out, finally giving a stream termination error. I even had set the -i parameter, like so: java -jar -Xmx512M /home/jenkins/jenkins-cli.jar -i /home/jenkins/jenkins_rsa -s MY_JENKINS_URL. Additionally, I had jenkins_rsa as id_rsa, and it didn't work. Thanks.